What You Need to Know About The New Trojan Source Scam


If you don’t do the coding of your website yourself, it helps to know about the Trojan Source Scam bug recently found by Krebs on Security. Firstly, the vulnerability has not yet been exploited. But overlooking even a small exposure could impact an entire programming language. Secondly, supply chain and multi-platform issues could follow.

Research on Unicode bidirectional (Bidi) control characters, done by the University of Cambridge, found a weakness in how programming tools display source code that could lead to ransomware attacks at large.

For example, Nicholas Weaver, a lecturer at the computer science department at the University of California, Berkeley, said the Cambridge research presents “a straightforward, elegant set of attacks that could make supply chain attacks much, much worse.”

Currently, organizations are promising that their programming languages and tools will receive patches. Patches are imminent from GitHub, GitLab and others. Next, it’s up to government and tech firms to identify the parts of their software that are susceptible to the Trojan Source scam.

Uncovering the Findings From Researchers

The paper found that, “by injecting Unicode Bidi override characters into comments and strings, an adversary can produce syntactically-valid source code in most modern languages for which the display order of characters presents logic that diverges from the real logic. We effectively anagram program A into program B.”
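As an added illustration (not code from this post or from the Cambridge paper), here is a small Python scanner that flags Unicode Bidi control characters in source text, the kind of check a code-review pipeline can run. It is exercised on a constructed C-like snippet in which a right-to-left override hidden in a comment would make the displayed code differ from what the compiler parses; the snippet and the function names are assumptions made for the example.

```python
import sys
import unicodedata

# Unicode bidirectional control characters that Trojan Source abuses:
# explicit embeddings, overrides, isolates, their terminators, and marks.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
    "\u200e", "\u200f", "\u061c",                       # LRM, RLM, ALM
}


def find_bidi_controls(source: str):
    """Return (line_no, column, codepoint_name) for every Bidi control in source.

    A clean file yields an empty list; legitimate code almost never needs
    these characters outside of localized string data, so any hit deserves
    a human look before the change is merged.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((line_no, col, unicodedata.name(ch)))
    return findings


# Constructed sample: the comment on line 3 carries an RLO and isolates so that
# an editor renders "if (is_admin)" as live code, while the compiler still sees
# everything between /* and */ as a comment and always calls grant_access().
SAMPLE_TROJAN = (
    "int main() {\n"
    "    int is_admin = 0;\n"
    "    /* \u202e } \u2066if (is_admin)\u2069 \u2066 begin admins only */\n"
    "        grant_access();\n"
    "    return 0;\n"
    "}\n"
)

# Constructed clean sample for comparison.
SAMPLE_CLEAN = "int main() {\n    return 0;\n}\n"


if __name__ == "__main__":
    # Scan files named on the command line, or the built-in sample if none given.
    paths = sys.argv[1:]
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("<sample>", SAMPLE_TROJAN)]
    for name, text in sources:
        for line_no, col, cp_name in find_bidi_controls(text):
            print(f"{name}:{line_no}:{col}: Bidi control character {cp_name}")
```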

Every firm should have coverage for this digital hazard. With that coverage in place, your software supply chain can put its defenses up as soon as it gets the heads up. The research was good at stopping a problem before it became one. Now it’s up to specialists like your MSP to make sure this issue is halted in its tracks.

The fact that the “Trojan Source Scam vulnerability affects almost all computer languages makes it a rare opportunity for a system-wide and ecologically valid cross-platform and cross-vendor comparison of responses,” the paper said. “As powerful supply-chain attacks can be launched easily using these techniques, it is essential for organizations that participate in a software supply chain to implement defenses.”

The best thing to do is to leave the IT work to professionals. You don’t need complete expertise in coding to avoid network attacks; you just need to know where to turn to for help. 

Need assistance understanding online privacy and your company’s IT strategy for the new year? Contact 1R Technologies to consult about our service offerings as a premier Managed Service Provider.